Iran, the cyber shooting range, new malware detected

On December 16th, 2012, the Iranian Maher center (the country's computer emergency response team) issued an advisory warning of a new "targeted data wiping" malware discovered during an investigation.

The center's initial analysis found that the malicious code has a design as simple as it is efficient: it wipes files on several drives at a set of predefined dates. The malware erases disk partitions and user profile directories while evading ordinary antivirus detection. The Maher advisory lists the components of the malware:

Name                         MD5
GrooveMonitor.exe [dropper]  f3dd76477e16e26571f8c64a7fd4a97b
juboot.exe                   fa0b300e671f73b3b0f7f415ccbe9d41
jucheck.exe                  c4cd216112cbc5b8c046934843c579f6
SLEEP.EXE                    ea7ed6b50a9f7b31caeea372a327bd37
WmiPrv.exe                   b7117b5d8281acd56648c9d08fadf630

Juboot.exe and jucheck.exe disguise themselves as the Java auto-update program, while SLEEP.EXE is a freeware tool for delaying application startup.
The Trojan is distributed as a self-extracting WinRAR archive named GrooveMonitor.exe which, once executed, drops the components juboot.exe, jucheck.exe and SLEEP.EXE.
The malware appears to have no link with previous cyber threats that hit the country, such as Stuxnet, Duqu and Shamoon.
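The hashes in the table above are the only hard indicators the advisory gives, so the first thing a responder does is sweep file systems for them. The following Python triage script is an added example, not code from the page, from Maher or from any of the vendors quoted: it walks a directory tree, hashes every file and reports matches against the five MD5 values; a filename-only hit is reported separately because a name like jucheck.exe is also carried by the legitimate Java updater the components imitate. The sample tree it builds (including a copy of the Startup folder path the page mentions) is constructed placeholder data, not the real dropper.

```python
import hashlib
import os
import tempfile

# MD5 indicators from the Maher advisory as reproduced on the page. MD5 is used
# only because that is what the advisory published; it is an IOC lookup, not an
# integrity mechanism.
BATCHWIPER_MD5 = {
    "f3dd76477e16e26571f8c64a7fd4a97b": "GrooveMonitor.exe (dropper)",
    "fa0b300e671f73b3b0f7f415ccbe9d41": "juboot.exe",
    "c4cd216112cbc5b8c046934843c579f6": "jucheck.exe",
    "ea7ed6b50a9f7b31caeea372a327bd37": "SLEEP.EXE",
    "b7117b5d8281acd56648c9d08fadf630": "WmiPrv.exe",
}

# File names the page associates with the malware. A name hit alone is weak
# evidence (jucheck.exe is also the legitimate Java updater's name), so it is
# reported with its digest for manual follow-up rather than as a confirmed match.
SUSPECT_NAMES = {"groovemonitor.exe", "juboot.exe", "jucheck.exe",
                 "sleep.exe", "wmiprv.exe"}


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large disks can be swept without
    loading whole files into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Walk root and return a list of (path, kind, detail) findings.
    kind is 'hash' for an MD5 match against the advisory list (detail is the
    component name) and 'name' for a filename-only match (detail is the
    file's digest, to be checked against newer indicator lists)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip, do not abort sweep
            if digest in BATCHWIPER_MD5:
                findings.append((path, "hash", BATCHWIPER_MD5[digest]))
            elif name.lower() in SUSPECT_NAMES:
                findings.append((path, "name", digest))
    return findings


def demo():
    """Constructed sample tree (assumption: no real malware is embedded, so the
    only finding is a filename hit in the Startup folder path from the page)."""
    root = tempfile.mkdtemp()
    startup = os.path.join(root, "Documents and Settings", "All Users",
                           "Start Menu", "Programs", "Startup")
    os.makedirs(startup)
    with open(os.path.join(startup, "GrooveMonitor.exe"), "wb") as f:
        f.write(b"MZ constructed placeholder, not the real dropper")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("benign file")
    return scan_tree(root)


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"[{kind}] {path}: {detail}")
```

On a real host the root would be each fixed drive; a 'hash' finding is a confirmed component, a 'name' finding in a Startup folder or next to a Java installation deserves a look at the file's digital signature before it is dismissed.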

Many antivirus vendors and security companies have of course started researching the malware. SophosLabs confirmed the malware's presence and the capabilities described by the Maher center, but does not share the Iranian conviction that it is a targeted attack.

“Juboot.exe is actually a simple DOS BAT file that has been converted to a Windows PE (Portable Executable) file using a Batch to Exe Converter. It uses SLEEP.EXE to wait for two seconds, then sets a registry key to start jucheck.exe on system boot.
Upon execution jucheck.exe waits two seconds, erases GrooveMonitor.exe and juboot.exe, then checks to see if the date matches any of the following:
10-December-2012 to 12-December-2012
21-January-2013 to 23-January-2013
06-May-2013 to 08-May-2013
22-July-2013 to 24-July-2013
11-November-2013 to 13-November-2013
3-February-2014 to 5-February-2014
5-May-2014 to 7-May-2014
11-August-2014 to 13-August-2014
2-February-2015 to 4-February-2015.
If the date matches, it waits for 50 minutes, then performs a recursive delete on the aforementioned drive letters and deletes everything from the user's desktop.”

As the Sophos experts explain, the malicious payload is very simple; besides the drives, it also wipes every file from the victim's desktop.
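The trigger schedule quoted above decides how urgently an infected but not yet wiped machine has to be cleaned. As an added example that is not part of the original post or of the Sophos analysis, this Python helper parses the nine windows exactly as Sophos listed them, reports whether a given date falls inside one, and counts the days until the next one; the window text is copied from the quote, the function names are the example's own.

```python
from datetime import date

# The nine trigger windows as Sophos listed them (copied from the quote above).
WINDOW_TEXT = """
10-December-2012 to 12-December-2012
21-January-2013 to 23-January-2013
06-May-2013 to 08-May-2013
22-July-2013 to 24-July-2013
11-November-2013 to 13-November-2013
3-February-2014 to 5-February-2014
5-May-2014 to 7-May-2014
11-August-2014 to 13-August-2014
2-February-2015 to 4-February-2015
"""

MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}


def parse_day(text):
    """'06-May-2013' -> date(2013, 5, 6); leading zeros and trailing dots tolerated."""
    d, m, y = text.strip().rstrip(".").split("-")
    return date(int(y), MONTHS[m], int(d))


def parse_windows(text):
    """Return a list of (first_day, last_day) tuples, one per listed window."""
    windows = []
    for line in text.strip().splitlines():
        start, end = (parse_day(part) for part in line.split(" to "))
        windows.append((start, end))
    return windows


WINDOWS = parse_windows(WINDOW_TEXT)


def in_window(day, windows=WINDOWS):
    """True if the date check in jucheck.exe would pass on this day."""
    return any(start <= day <= end for start, end in windows)


def next_window(day, windows=WINDOWS):
    """The first window starting on or after day, or None once all have passed."""
    future = [w for w in windows if w[0] >= day]
    return min(future) if future else None


def days_until_trigger(day, windows=WINDOWS):
    """0 if day is already inside a window, otherwise days until the next
    window opens, or None if no window remains."""
    if in_window(day, windows):
        return 0
    nxt = next_window(day, windows)
    return (nxt[0] - day).days if nxt else None


if __name__ == "__main__":
    today = date(2012, 12, 16)  # the advisory date
    print("inside a window:", in_window(today))
    print("days until next trigger:", days_until_trigger(today))
```

Inside a window the first variant still waits 50 minutes after jucheck.exe starts before deleting, so a machine seen within a window is on a clock measured in minutes, not days; the count above is for machines found between windows.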

The Sophos research team also found a variant in which the jucheck.exe component is replaced by a new one called WmiPrv.exe. This variant tries to delete GrooveMonitor.exe from

C:\Documents and settings\All Users\Start Menu\Programs\Startup\

and then runs in an endless loop, repeating every 50 minutes, to erase the drives. Sophos commented on the discovery with the following statement:

“This is likely indicative of a more advanced dropper file and a way to be sure to harm machines that are not rebooted during the specified time windows.”

Roel Schouwenberg of Kaspersky Lab added further interesting details from the analysis his team conducted on the malware, named GrooveMonitor after its dropper.

“After trying to delete all the files on a particular partition the malware runs chkdsk on said partition. I assume the attacker is trying to make the loss of all files look like a software or hardware failure. Next to these BAT2EXE files there's also a 16-bit SLEEP file, which is not malicious. 16-bit files don't actually run on 64-bit versions of Windows. This immediately gives away the malware's presence on a x64 machine.”

Symantec identified the threat as Trojan.Batchwiper and shares the same findings as Kaspersky and Sophos.
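Kaspersky's remark that a 16-bit SLEEP.EXE cannot run on 64-bit Windows is itself a usable triage check: 64-bit Windows has no NTVDM, so neither a plain DOS program nor a Win16 "NE" executable will start there. The following Python function is an added example, not from Kaspersky or from the page: it reads the MZ header, follows e_lfanew to the new-format header and classifies the image as plain DOS, 16-bit NE, PE32 (x86) or PE32+ (x64), with a helper that says whether that kind of image runs on x64 Windows. The sample images are constructed minimal headers, not SLEEP.EXE or any real binary.

```python
import struct

# Header layout facts used below: the DOS header is 64 bytes and keeps the
# offset of the new-format header (e_lfanew) as a little-endian DWORD at 0x3C.
# A Win16 New Executable carries the signature 'NE' there; a Win32/Win64 image
# carries 'PE\0\0' followed by the COFF header, whose first WORD is Machine.
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def classify_executable(data: bytes) -> str:
    """Return 'not-mz', 'dos', 'ne16', 'pe32', 'pe32+' or 'pe-other'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-mz"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "dos"  # no new-format header: a pure DOS program
    if data[e_lfanew:e_lfanew + 2] == b"NE":
        return "ne16"
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        if e_lfanew + 6 > len(data):
            return "pe-other"  # truncated COFF header
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        return {IMAGE_FILE_MACHINE_I386: "pe32",
                IMAGE_FILE_MACHINE_AMD64: "pe32+"}.get(machine, "pe-other")
    return "dos"  # e_lfanew points at something that is neither NE nor PE


def runs_on_x64_windows(kind: str) -> bool:
    """x64 Windows runs PE32 under WoW64 and PE32+ natively; DOS and Win16
    images need NTVDM, which does not exist on 64-bit Windows."""
    return kind in ("pe32", "pe32+")


def build_mz(new_header: bytes) -> bytes:
    """Constructed minimal MZ image whose e_lfanew points just past the DOS
    header (assumption: test data only, not a loadable program)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + new_header


# Constructed samples standing in for a Win16 tool like SLEEP.EXE, an x86 PE,
# an x64 PE and a bare DOS program.
SAMPLES = {
    "sleep16": build_mz(b"NE" + b"\x00" * 62),
    "win32": build_mz(b"PE\x00\x00" + struct.pack("<H", IMAGE_FILE_MACHINE_I386) + b"\x00" * 18),
    "win64": build_mz(b"PE\x00\x00" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64) + b"\x00" * 18),
    "dos": b"MZ" + b"\x00" * 0x3E,
}


def triage(samples=SAMPLES):
    """Map each sample name to (kind, runs_on_x64)."""
    return {name: (classify_executable(img), runs_on_x64_windows(classify_executable(img)))
            for name, img in samples.items()}


if __name__ == "__main__":
    for name, (kind, ok) in triage().items():
        print(f"{name}: {kind}, runs on x64 Windows: {ok}")
```

A dropped helper that cannot execute on the host, as Kaspersky describes, is a loud artifact: on an x64 machine a Win16 or DOS binary in a Startup folder or next to fresh BAT2EXE files has no legitimate reason to be there.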

Although the malware appears very simple and has not caused great problems for the victim country, it could be an indicator of the ongoing development of a new cyber weapon. The detected module may have been built for testing purposes or as part of a broader project.
Roel Schouwenberg concluded his analysis with a very meaningful statement:

Pierluigi Paganini
Hi Michael ... I have a strange sensation ... I use the word "shooting range" because I believe that someone is testing new malicious code, probing the detection capabilities of the "unknown" defense systems of Teheran ... someone wants us to believe that this is script kiddies' work ...
But our opinions are the consequence of misinformation ... let's see what happens in the short term.
Thank you, as always ... and if I don't hear from you soon, let me wish you and your family all the best for this Christmas.
Regards
Pierluigi

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
